From 82e325f96e0d2e3196aafdd059d4f8ba41606e66 Mon Sep 17 00:00:00 2001
From: Abubakr-Sadik Nii Nai Davis <dwa2pac@gmail.com>
Date: Sun, 15 Oct 2017 00:08:58 +0000
Subject: [PATCH] Update 1.8 node definition.
---
cfg/1.8/node.yaml | 638 +++++++++++++++++++++++++---------------------
1 file changed, 354 insertions(+), 284 deletions(-)
diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml
index de0f8b5..c8c51f2 100644
--- a/cfg/1.8/node.yaml
+++ b/cfg/1.8/node.yaml
@@ -1,6 +1,6 @@
---
controls:
-version: 1.7
+version: 1.8
id: 2
text: "Worker Node Security Configuration"
type: "node"
@@ -8,222 +8,297 @@ groups:
- id: 2.1
text: "Kubelet"
checks:
- - id: 2.1.1
- text: "Ensure that the --allow-privileged argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--allow-privileged"
- compare:
- op: eq
- value: false
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the KUBE_ALLOW_PRIV
- parameter to \"--allow-privileged=false\""
- scored: true
+ - id: 2.1.1
+ text: "Ensure that the --allow-privileged argument is set to false (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--allow-privileged"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --allow-privileged=false
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.2
- text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--anonymous-auth"
- compare:
- op: eq
- value: false
- set: true
- remediation: "Edit the $kubeletconf file on the master node and set the
- KUBELET_ARGS parameter to \"--anonymous-auth=false\""
- scored: true
-
- - id: 2.1.3
- text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--authorization-mode"
- compare:
- op: nothave
- value: "AlwaysAllow"
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the
- KUBELET_ARGS parameter to \"--authorization-mode=Webhook\""
- scored: true
-
- - id: 2.1.4
- text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--client-ca-file"
- set: true
- remediation: "Follow the Kubernetes documentation and setup the TLS connection between
- the apiserver and kubelets. Then, edit the $kubeletconf file on each node
- and set the KUBELET_ARGS parameter to \"--client-ca-file=<path/to/client-ca-file>\""
- scored: true
+ - id: 2.1.2
+ text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--anonymous-auth"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --anonymous-auth=false
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.5
- text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--read-only-port"
- compare:
- op: eq
- value: 0
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
- parameter to \"--read-only-port=0\""
- scored: true
-
- - id: 2.1.6
- text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- bin_op: or
- test_items:
- - flag: "--streaming-connection-idle-timeout"
- compare:
- op: noteq
- value: 0
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
- parameter to \"--streaming-connection-idle-timeout=<appropriate-timeout-value>\""
- scored: true
+ - id: 2.1.3
+ text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--authorization-mode"
+ compare:
+ op: nothave
+ value: "AlwaysAllow"
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
+ --authorization-mode=Webhook
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.7
- text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--protect-kernel-defaults"
- compare:
- op: eq
- value: true
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
- parameter to \"--protect-kernel-defaults=true\""
- scored: true
+ - id: 2.1.4
+ text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--client-ca-file"
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
+ --client-ca-file=<path/to/client-ca-file>
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.8
- text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- bin_op: or
- test_items:
- - flag: "--make-iptables-util-chains"
- compare:
- op: eq
- value: true
- set: true
- - flag: "--make-iptables-util-chains"
- set: false
- remediation: "Edit the $kubeletconf file on each node and remove the
- --make-iptables-util-chains argument from the KUBELET_ARGS parameter."
- scored: true
+ - id: 2.1.5
+ text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--read-only-port"
+ compare:
+ op: eq
+ value: 0
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --read-only-port=0
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.9
- text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--keep-terminated-pod-volumes"
- compare:
- op: eq
- value: false
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
- parameter to \"--keep-terminated-pod-volumes=false\""
- scored: true
+ - id: 2.1.6
+ text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--streaming-connection-idle-timeout"
+ compare:
+ op: noteq
+ value: 0
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --streaming-connection-idle-timeout=5m
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.10
- text: "Ensure that the --hostname-override argument is not set (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--hostname-override"
- set: false
- remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME
- parameter to \"\""
- scored: true
+ - id: 2.1.7
+ text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--protect-kernel-defaults"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --protect-kernel-defaults=true
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.11
- text: "Ensure that the --event-qps argument is set to 0 (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--event-qps"
- compare:
- op: eq
- value: 0
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
- parameter to \"--event-qps=0\""
- scored: true
+ - id: 2.1.8
+ text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--make-iptables-util-chains"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and remove the --make-iptables-util-chains argument from the
+ KUBELET_SYSTEM_PODS_ARGS variable.
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.12
- text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--tls-cert-file"
- set: true
- - flag: "--tls-private-key-file"
- set: true
- remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
- Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS
- parameter to include \"--tls-cert-file=<path/to/tls-certificate-file>\" and
- \"--tls-private-key-file=<path/to/tls-key-file>\""
- scored: true
+ - id: 2.1.9
+ text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--keep-terminated-pod-volumes"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --keep-terminated-pod-volumes=false
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.13
- text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "--cadvisor-port"
- compare:
- op: eq
- value: 0
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
- to \"--cadvisor-port=0\""
- scored: true
+ - id: 2.1.10
+ text: "Ensure that the --hostname-override argument is not set (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--hostname-override"
+ set: false
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and remove the --hostname-override argument from the
+ KUBELET_SYSTEM_PODS_ARGS variable.
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.14
- text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "RotateKubeletClientCertificate"
- compare:
- op: eq
- value: true
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
- to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"."
- scored: true
+ - id: 2.1.11
+ text: "Ensure that the --event-qps argument is set to 0 (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--event-qps"
+ compare:
+ op: eq
+ value: 0
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --event-qps=0
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- - id: 2.1.15
- text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
- audit: "ps -ef | grep $kubeletbin | grep -v grep"
- tests:
- test_items:
- - flag: "RotateKubeletServerCertificate"
- compare:
- op: eq
- value: true
- set: true
- remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
- to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"."
- scored: true
+ - id: 2.1.12
+ text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--tls-cert-file"
+ set: true
+ - flag: "--tls-private-key-file"
+ set: true
+ remediation: |
+ Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
+ Then edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-
+ kubeadm.conf on each worker node and set the below parameters in
+ KUBELET_CERTIFICATE_ARGS variable.
+ --tls-cert-file=<path/to/tls-certificate-file>
+ file=<path/to/tls-key-file>
+ --tls-private-key-
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+
+ - id: 2.1.13
+ text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--cadvisor-port"
+ compare:
+ op: eq
+ value: 0
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
+ --cadvisor-port=0
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+
+ - id: 2.1.14
+ text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "RotateKubeletClientCertificate"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and remove the --feature-
+ gates=RotateKubeletClientCertificate=false argument from the
+ KUBELET_CERTIFICATE_ARGS variable.
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+
+ - id: 2.1.15
+ text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "RotateKubeletServerCertificate"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: |
+ Edit the kubelet service file $kubeletunitfile
+ on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
+ --feature-gates=RotateKubeletServerCertificate=true
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
- id: 2.2
text: "Configuration Files"
checks:
- id: 2.2.1
- text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
- audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
+ text: "Ensure that the kubelet.conf file permissions are set to 644 or
+ more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests:
bin_op: or
test_items:
@@ -242,13 +317,15 @@ groups:
op: eq
value: "600"
set: true
- remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chmod 644 $kubernetesconf"
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker
+ node. For example,
+ chmod 644 $kubeletconf
scored: true
- id: 2.2.2
- text: "Ensure that the config file ownership is set to root:root (Scored)"
- audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
+ text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests:
test_items:
- flag: "root:root"
@@ -256,115 +333,108 @@ groups:
op: eq
value: root:root
set: true
- remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chown root:root $kubernetesconf"
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker
+ node. For example,
+ chown root:root /etc/kubernetes/kubelet.conf
scored: true
- id: 2.2.3
- text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
- audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
+ text: "Ensure that the kubelet service file permissions are set to 644 or
+ more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %a $kubeletunitfile; fi'"
tests:
bin_op: or
test_items:
- - flag: "644"
- compare:
- op: eq
- value: 644
- set: true
- - flag: "640"
- compare:
- op: eq
- value: "640"
- set: true
- - flag: "600"
- compare:
- op: eq
- value: "600"
- set: true
- remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chmod 644 $kubeletconf"
+ - flag: "644"
+ compare:
+ op: eq
+ value: 644
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker
+ node. For example,
+ chmod 755 $kubeletunitfile
scored: true
- id: 2.2.4
- text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
- audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
+ text: "Ensure that the kubelet service file permissions are set to 644 or
+ more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %U:%G $kubeletunitfile; fi'"
tests:
test_items:
- - flag: "root:root"
- set: true
- remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chown root:root $kubeletconf"
+ - flag: "root:root"
+ set: true
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker
+ node. For example,
+ chown root:root $kubeletunitfile
scored: true
- id: 2.2.5
- text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
+ text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
+ restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
tests:
bin_op: or
test_items:
- - flag: "644"
- compare:
- op: eq
- value: "644"
- set: true
- - flag: "640"
- compare:
- op: eq
- value: "640"
- set: true
- - flag: "600"
- compare:
- op: eq
- value: "600"
- set: true
- remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chmod 644 $proxyconf"
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker
+ node. For example,
+ chmod 644 $proxyconf
scored: true
- id: 2.2.6
- text: "Ensure that the proxy file ownership is set to root:root (Scored)"
- audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
+ text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
tests:
test_items:
- - flag: "root:root"
- set: true
- remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chown root:root $proxyconf"
+ - flag: "root:root"
+ set: true
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker
+ node. For example,
+ chown root:root $proxyconf
scored: true
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
- 644 or more restrictive (Scored)"
- audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
- tests:
- bin_op: or
- test_items:
- - flag: "644"
- compare:
- op: eq
- value: "644"
- set: true
- - flag: "640"
- compare:
- op: eq
- value: "640"
- set: true
- - flag: "600"
- compare:
- op: eq
- value: "600"
- set: true
- remediation: "Run the following command to modify the file permissions of the --client-ca-file
- \nchmod 644 <filename>"
+ 644 or more restrictive (Scored)"
+ type: manual
+ remediation: |
+ Run the following command to modify the file permissions of the --client-ca-file
+ chmod 644 <filename>
scored: true
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
- tests:
- test_items:
- - flag: "notexist:notexist"
- set: true
- remediation: "Run the following command to modify the ownership of the --client-ca-file.
- \nchown root:root <filename>"
+ type: manual
+ remediation: |
+ Run the following command to modify the ownership of the --client-ca-file .
+ chown root:root <filename>
scored: true
--
GitLab